McAfee IntruShield SystemEvent.jsp resourceName Variable XSS

2005-07-06T14:57:41
ID OSVDB:17771
Type osvdb
Reporter OSVDB
Modified 2005-07-06T14:57:41

Description

Solution Description

Upgrade to version 2.1.9.17 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Manual Testing Notes

https://[victim]/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=false&faultResourceName=Manager&domainName=Demo&resourceName=<script>alert("There could be trouble ahead")</script><script>alert(document.cookie)</script>&resourceType=Manager&topMenuName=SystemHealthManager&secondMenuName=Faults&resourceId=-1&thirdMenuName=Critical&severity=critical&count=1

References:

Vendor URL: http://www.mcafeesecurity.com/us/products/mcafee/network_ips/category.htm
Security Tracker: 1014422
Secunia Advisory ID: 15961
Related OSVDB ID: 17772
Related OSVDB ID: 17770
Related OSVDB ID: 17773
Related OSVDB ID: 17774
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-07/0052.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-07/0153.html
CVE-2005-2186